Method and apparatus for anomaly detection in a network

1. A method for anomaly detection in a network, the method performed by an apparatus configured for monitoring performance of the network and comprising: receiving a stream of time-series data from one or more nodes in the network, the time-series data comprising data items comprising or derived from performance or service-quality measurements for one or more categories of network performance; dividing the stream into sub-streams, each sub-stream corresponding to one of the one or more categories of network performance; and for each of the sub-streams: reconstructing a plurality of phase spaces, each phase space having two or more dimensions corresponding to respective system variables of the network represented by the sub-stream and reconstructed by applying a corresponding embedding function to the sub-stream, to obtain feature vectors corresponding to respective ones of the data items comprising the sub-stream, each corresponding embedding function having a unique pairing of embedding dimension and lag for the sub-stream; for each phase space, identifying feature vectors that lie outside of a normal range learned for the phase space; detecting anomalous data items in the sub-stream by detecting data items for which the corresponding feature vectors all lie outside normal ranges learned for the respective phase spaces; and storing or reporting indications of the anomalous data items.

2. The method of claim 1 , wherein the normal range for each phase space is initially learned from a training data set and is periodically updated based on data items subsequently received for the corresponding sub-stream that are not detected as anomalous.

3. The method of claim 1 , wherein the normal range for each phase space is based on One Class Support Vector Machine (OCSVM).

4. The method of claim 1 , wherein the time-series data comprises Key Performance Indicator (KPI) data which is a measure of network performance or service quality provided by the network.

5. An apparatus comprising a processor and a memory, said memory comprising instructions executable by said processor whereby said apparatus is operative to: receive a stream of time-series data from one or more nodes in the network, the time-series data comprising data items comprising or derived from performance or service-quality measurements for one or more categories of network performance; divide the stream into sub-streams, each sub-stream corresponding to one of the one or more performance categories; and for each of the sub-streams: reconstruct a plurality of phase spaces, each phase space having two or more dimensions corresponding to respective system variables of the network represented by the sub-stream and reconstructed by applying a corresponding embedding function to the sub-stream, to obtain feature vectors corresponding to respective ones of the data items comprising the sub-stream, each corresponding embedding function having a unique pairing of embedding dimension and lag for the sub-stream; for each phase space, identify feature vectors that lie outside of a normal range learned for the phase space; detect anomalous data items in the sub-stream by detecting data items for which the corresponding feature vectors all lie outside normal ranges learned for the respective phase spaces; and store or report indications of the anomalous data items.

6. The apparatus of claim 5 , wherein the normal range for each phase space is initially learned from a training data set and is periodically updated based on data items subsequently received for the corresponding sub-stream that are not detected as anomalous.

7. The apparatus of claim 5 , wherein the normal range for each phase space is based on One Class Support Vector Machine (OCSVM).

8. The apparatus of claim 5 , wherein the time-series data comprises Key Performance Indicator (KPI) data which is a measure of network performance or service quality.